Codonics Safe Label System User guide

IT Resource Guide

for

Codonics®

Safe Label System®

(Software Release 3.1.x)

Codonics® Safe Label System®

SLS 550i/600i Point of Care Station (SLS PCS)

Codonics Safe Label System: IT Resource Guide

Product Contact Information

Company Headquarters

Codonics Inc.

17991 Englewood Drive

Middleburg Hts., OH 44130

USA

Phone: 440.243.1198

800.444.1198

Fax: 440.243.1334

Email: [email protected]

Hours: 8:30 AM-5:30 PM ET, Mon-Fri (Closed official U.S. holidays)

Technical Support

Phone: 440.243.1198

800.444.1198

Fax: 440.243.1334 (Attn: SLS Tech Support -or- your support contact person)

Email: [email protected] for new support requests -or-

the email address of the support person you are working with.

Hours: 8:30 AM-5:30 PM ET, Mon-Fri (Closed official U.S. holidays)

After-hours, existing SLS customers can leave a message for a return call.

Sales

Phone: 440.243.1198

800.444.1198

Fax: 440.243.1334 (Attn: SLS Sales -or- your sales contact)

Email: [email protected]

Hours: 8:30 AM-5:30 PM ET, Mon-Fri (Closed official U.S. holidays)

Product Notices

Important information about the SLS product, including software updates and cybersecurity notices can be

found at: www.codonics.com/notices.

Legal Notice

This document and the designs, specifications, and information disclosed herein are the property of Codonics,

Inc., and are not to be disseminated or reproduced without express written consent from Codonics, Inc.

Trademarks

Codonics, the Codonics logo, “We bring the future into focus” and Safe Label System are registered

trademarks of Codonics, Inc.

Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. Java

is a registered trademark of Oracle and/or its affiliates. All other registered and unregistered trademarks are

the property of their respective owners.

 
Codonics Safe Label System: IT Resource Guide      
Copyright © 2009-2023, Codonics, Inc.    P/N: 900-653-013.06 
 
 

TABLE OF CONTENTS 
Overview ................................................................................................................................................ 5 
System Description ............................................................................................................................... 6 
System Details ....................................................................................................................................... 7 
1 SLS PCS (Point of Care Stations - Models SLS 550i/600i) ............................................. 7 
2 SLS AT (Administration Tool) ......................................................................................... 10 
3 SLS EN (Email Notifier) .................................................................................................. 14 
System Accessories ............................................................................................................................ 15 
1 SLS WAVE Scanner ....................................................................................................... 15 
2 SLS PCS Accessories .................................................................................................... 15 
3 SLS AT Accessories ....................................................................................................... 15 
4 SLS EN Accessories ...................................................................................................... 16 
System Workflow ................................................................................................................................. 17 
1 SLS PCS ........................................................................................................................ 17 
2 SLS AT ........................................................................................................................... 17 
3 SLS EN ........................................................................................................................... 17 
System PII and User Accounts ........................................................................................................... 18 
1 SLS PCS ........................................................................................................................ 18 
2 SLS AT ........................................................................................................................... 18 
3 SLS EN ........................................................................................................................... 18 
4 SSH ................................................................................................................................ 19 
System PHI ........................................................................................................................................... 20 
1 SLS PCS ........................................................................................................................ 20 
2 SLS AT ........................................................................................................................... 20 
3 SLS EN ........................................................................................................................... 20 
System Networking ............................................................................................................................. 21 
1 SLS PCS ........................................................................................................................ 21 
2 SLS AT ........................................................................................................................... 23 
3 SLS EN ........................................................................................................................... 23 
4 Third-Party Device Integration ........................................................................................ 24 
System Logs ........................................................................................................................................ 26 
1 SLS PCS ........................................................................................................................ 26 
2 SLS AT ........................................................................................................................... 26 
3 SLS EN ........................................................................................................................... 26 
System Backup .................................................................................................................................... 27 
1 SLS PCS ........................................................................................................................ 27 
2 SLS AT ........................................................................................................................... 27 
3 SLS EN ........................................................................................................................... 27 
Remote Access, Cloud and SaaS ....................................................................................................... 28 
System Specifications ........................................................................................................................ 29 
1 SLS 550i PCS ................................................................................................................. 29 
2 SLS 600i PCS ................................................................................................................. 30 
Appendix A – Network Diagram (Full System) .......................................................................................... 31 
Appendix B – Network Ports and Protocols .............................................................................................. 32 
Appendix C – Mechanical Drawings ........................................................................................................... 34 
Appendix D – Confidential Addendum Request Procedure ..................................................................... 35 
Appendix E – Security Recommendation and Best Practices ................................................................. 36 

Codonics Safe Label System: IT Resource Guide

Appendix F – SLS Software Update Policy and Process .......................................................................... 48

Codonics Safe Label System: IT Resource Guide

1. Overview

This document contains software, hardware and network information related to the Codonics® Safe Label

System® with Software Release 3.1.x. The purpose of the document is to assist IT staff and users with the

deployment of the Safe Label System in healthcare environments.

Codonics Safe Label System: IT Resource Guide

2. System Description

The Safe Label System (“SLS”) is an FDA-cleared Class II medical device (510K K101439) that improves

the safety and accuracy of medication preparation and labeling compliance anywhere medications are

prepared.

The Safe Label System consists of three main components:

• SLS PCS. The SLS Point-of-Care Stations (“SLS PCS”) are embedded devices used by anesthesia

providers in operating rooms and other anesthetizing locations to label drugs that are prepared into

secondary containers such as syringes and IV bags. The current shipping SLS PCS models are the

SLS 550i and SLS 600i.

Note: SLS Software Release 3.0.0 and higher no longer supports some older SLS 500i devices. The

serial numbers of the unsupported SLS PCS devices start with 140C and 141C. Customers with these

older SLS PCS 500i models should contact the Codonics Sales Department (800.444.1198, 8:30 AM-

5:30 PM ET, Mon-Fri) for upgrade options.

• SLS AT. The SLS Administration Tool (“SLS AT”) is a Windows-based application installed and run on

a hospital-supplied server or computer. It is a required component of the Safe Label System. The SLS

AT is typically accessed by the pharmacy using a web browser to maintain the drug formulary and

safety configuration settings of the SLS PCS devices.

• SLS EN. The SLS Email Notifier (“SLS EN”) is a Windows-based application that runs as a background

service without a UI (see section 3.3 SLS EN (Email Notifier) for more details). The SLS EN is installed

and runs on a hospital-supplied server or computer. It can also be run on the same system hosting the

SLS AT. The SLS EN is an optional application that monitors the status and user events of the SLS

PCS devices connected to the network and generates emails to specified users or groups with

notifications that require attention.

The SLS workflow is designed for safe, efficient preparation and labeling of drugs. SLS PCS devices are

typically installed on the hospital network and receive drug formulary and safety configuration settings from

the SLS AT over the network. Users scan the NDC barcode on a drug vial or ampoule using an SLS PCS

built-in barcode reader to print a compliant, color-coded drug identification label that is affixed to a syringe or

IV bag. For safety, the recommended workflow is: Scan one vial; print one label; prepare one syringe; label

one syringe.

SLS Security Note

Refer to Appendix E – Security Recommendation and Best Practices for details on configurating SLS

components for improved network security.

Codonics Safe Label System: IT Resource Guide

3. System Details

This section provides technical details of the three major SLS components.

3.1 SLS PCS (Point of Care Stations - Models SLS 550i/600i)

The SLS Point-of-Care Station (“SLS PCS”) is a standalone drug labeling device that uses embedded

hardware and software manufactured by Codonics. The SLS PCS contains a color inkjet label printer,

embedded computer, flash memory storage, LCD display, touchscreen interface, speaker, barcode scanner,

Ethernet, optional Wi-Fi interface, and USB ports.

The SLS PCS does not require the addition of any customer-supplied software or hardware. The devices are

typically installed on drug dispensing carts or near drug preparation areas in operating rooms, PACUs, ICUs,

or pharmacies.

The SLS PCS devices can be connected to a LAN network via Ethernet or Wi-Fi. Wi-Fi connections require

the installation of an optional Wi-Fi module and Feature Key that are available from Codonics. Connecting

SLS PCS units to a network will simplify device monitoring and installation of formulary and software

updates from the SLS AT (see section 8 System Networking for more information on SLS network

capabilities).

The SLS PCS can also be operated via air-gap (aka. “sneaker-net”) without a network connection. When

used in an air-gap configuration, formulary and configuration settings updates from the SLS AT must be

transferred manually to each SLS PCS device using a site-supplied, unencrypted FAT or FAT32 formatted

USB drive.

The SLS PCS uses an embedded SQL database for storage of drug formulary information, configuration

information and log files. Only the embedded software on the SLS can access the database.

Software updates for the SLS system including the SLS PCS, SLS AT and SLS EN are tested, approved,

and released by Codonics according to the following policy.

3.1.1 SLS PCS Hardware

The following is a summary of the major hardware components of SLS PCS models supported by Software

Release 3.1.x.

Codonics Safe Label System

Software Security Update Policy

Codonics performs ongoing monitoring of the Safe Label System (“SLS”) solution for software

vulnerabilities and schedules regular software updates with security patches at least once per calendar

year. If a significant software vulnerability is discovered between scheduled releases, Codonics will

assess the risk posed and release documentation addressing the specific concerns including

instructions to mitigate the vulnerability or a software update as required. Software updates are

distributed in a proprietary, digitally-signed file format called “packages” to ensure the integrity of the

software. Information about the availability of important software updates and cybersecurity notices will

be posted on the Codonics website at: www.codonics.com/notices.

Codonics Safe Label System: IT Resource Guide

SLS PCS Hardware Information

Component Name

Processor

RAM

Storage Capacity

SW Support

SLS 500i

Serial Numbers

Starting with:

142C

Intel Atom

(embedded)

2 GB

(embedded)

32 GB

Solid State Drive

(embedded)

3.0.x

(current)

SLS 550i

Serial Numbers

Starting with:

143C, 144C

Intel Atom

(embedded)

2 GB

(embedded)

32 GB Minimum

Solid State Drive

(embedded)

3.1.x

(current)

SLS 600i

Serial Numbers

Starting with:

170C

Intel Atom

(embedded)

2 GB

(embedded)

32 GB Minimum

Solid State Drive

(embedded)

3.1.x

(current)

3.1.2 SLS PCS Software

For security reasons, some details about the internal software components used in the SLS PCS are only

made available under NDA (Non-Disclosure Agreement). Refer to Appendix D – Confidential Addendum

Request Procedure for more information.

3.1.3 SLS PCS Virtualization

The SLS PCS application and operating system are embedded and cannot be virtualized.

3.1.4 SLS PCS Software Security

The SLS PCS uses a custom operating system (SLS OS 3) and application software designed to reduce

security vulnerabilities using the following techniques:

• Disable unnecessary user, administrative accounts, and login functions of the device.

• Remove or disable unnecessary software from the device.

• Block incoming network connection requests on unused ports (refer to Appendix B – Network Ports and

Protocols for more information on SLS network ports).

• Encrypt all network access credentials stored on the device (e.g., certificates, passwords, security

keys).

• Encrypt all incoming network communications between SLS devices using 128-bit SSL based on the

SSH-2 protocol (RFC 4251).

• Cryptographically sign important internal data to detect unintended modification.

• Install only software and data updates with proper digital signatures on the device.

• Disable standard boot functions to prevent unauthorized software installation.

• Permit operation with or without a network (e.g., air-gap, sneaker-net).

3.1.5 SLS PCS Touchscreen Keyboard

The SLS PCS uses a touchscreen keyboard for entry of some data fields. The touchscreen keyboard

includes the most common characters required for typical data entry fields.

Codonics Safe Label System: IT Resource Guide

Touchscreen Keyboard (Alphabetic):

Touchscreen Keyboard (Special Characters):

Touchscreen Keyboard (Numbers):

USB Keyboard Connection to SLS PCS

If a character is required that is not a part of the SLS PCS touchscreen keyboard (e.g., colon, semi-

colon), a standard USB keyboard can be temporarily connected to the SLS PCS USB port on the left

side of the touchscreen. The touchscreen keyboard will also work while the USB keyboard is

connected to the SLS PCS.

Codonics Safe Label System: IT Resource Guide

3.2 SLS AT (Administration Tool)

The SLS AT is a Windows-based Java application used to create and maintain the drug formulary and

configuration files required by SLS PCS devices. Additionally, the SLS AT allows remote monitoring and

updating of software on SLS PCS devices when they are connected to a network.

3.2.1 SLS AT Installation

The SLS AT application is installed in a server configuration that allows users access from a web browser on

the same network. A list of compatible browsers is provided in section 3.2.6 SLS AT Software.

The SLS AT application and data are entirely hosted on customer premises. The application runs as a

service on a site-supplied Windows computer system or server.

Notes:

• One instance of the SLS AT is typically installed at a site. In circumstances where multiple copies of the

AT need to be installed, please contact Codonics Technical Support for assistance.

• The SLS AT will lock access to the local data directory when the application is running. This prevents

concurrent access to data in the data directory, regardless of whether a user is currently logged into the

AT.

3.2.2 SLS AT Data Information

The SLS AT utilizes a single directory tree that contains all data files for one instance of the drug formulary

and associated configuration information. The structure of individual data files is generally unique to a

specific software version of the SLS AT. A data migration tool is supplied with major releases of the SLS AT

software to convert data files when moving to newer versions.

The SLS AT uses file locking to restrict access so that only one running instance of the AT can access the

data directory at a time. The SLS AT application and the data directory should be located on the same drive.

3.2.3 SLS AT Hardware Requirements

Minimum Configuration

Recommended Configuration

Processor

Core i7-4790K / Xeon E3-1286 v3

or faster.

Processor

Core i7-11700K / Xeon E-2336

or faster.

RAM

6 GB

RAM

8 GB

Application

Disk Space

10 GB

Application

Disk Space

30 GB

Notes:

• For best performance, use a locally attached SSD or high-speed RAID for hosting the SLS AT data

directory.

SLS AT Security Note

Refer to Appendix E – Security Recommendation and Best Practices for details on configuring SLS

components for improved network security.

SLS AT Additional Hardware and Software Requirements

The SLS AT (Administration Tool) application only requires the customer to supply a Microsoft

Windows-based server or computer that meets the software and hardware requirements described

later in this section. All other software modules required by the SLS AT are included and automatically

installed when the SLS AT is installed. No additional 3rd party software packages such as databases or

Java need to be supplied by the customer.

Codonics Safe Label System: IT Resource Guide

• A processor with at least four cores is recommended in hosting systems.

• When running more than one instance of the SLS AT on the same hosting system, increase the system

RAM by at least 3 GB for each additional instance.

• The hardware configurations shown are sufficient for running the SLS EN (Email Notifier) on the same

system hosting the SLS AT.

3.2.4 SLS AT Hardware Requirements for Upgrades

Customers that are running previous versions of the SLS AT or SLS EN in a server configuration can use

the following guidelines to determine if the existing system is sufficient to run new versions of SLS AT and

SLS EN.

• The existing processor should have at least four cores.

• The Passmark Single Thread Rating of the processor should be at least 2250 to meet minimum

performance criteria. The recommended Single Thread Rating is at least 3200 for best performance.

The Passmark rating of most processors is available at:

https://www.cpubenchmark.net/cpu_list.php

• Follow the RAM and Disk Space recommendations in the previous section.

• Follow the Windows operating system recommendations in the upcoming sections.

3.2.5 SLS AT Virtualization

The SLS AT allows virtualization using common virtual environments such as VMware ESXi and Citrix

XenServer. Codonics does not explicitly support any particular virtual environment. Codonics will make

reasonable efforts to assist customers with set up and operational questions regarding virtualization, but the

customer is responsible for ensuring the proper operation of the SLS AT in the virtual environment.

Hardware requirements shown in section 3.2.3 SLS AT Hardware Requirements are sufficient for running a

virtualized SLS AT with the following additional considerations:

• At least two CPU cores should be allocated to the VM.

• When running more than one instance of the SLS AT on the same virtual machine, allocate one more

CPU core to the VM and increase the system RAM by at least 3 GB for each additional instance.

• When running the SLS EN on the same virtual machine as the SLS AT, allocate one more CPU core to

the VM and increase the system RAM by at least 3 GB.

• Virtualization of the SLS AT or SLS EN using Cloud based systems is not recommended.

3.2.6 SLS AT Software

For security reasons, some details about the internal software components used in the SLS AT are only

made available under NDA (Non-Disclosure Agreement). Refer to Appendix D – Confidential Addendum

Request Procedure for more information.

Codonics Safe Label System: IT Resource Guide

SLS AT Software Information

Application Name

Version #

Description

SLS AT

Application

3.1.x

Codonics software version.

Windows OS

(Supported)

8.1, 10

2016, 2019, 2022

64-bit version required.

Approved operating systems to run the SLS AT. The

operating system and computer hardware for

running the SLS AT are supplied by site.

Edge (old version)

Edge (new version)

Chrome

Firefox (see notes)

Safari (see notes)

115 (or higher)

116 (or higher)

Not Supported

A web browser is required for the SLS AT to

operate. Internet Explorer, Edge (both old and new

versions) and Chrome are recommended.

Notes:

• Firefox works but has some known issues.

• Safari is not supported or recommended.

3.2.7 SLS AT Java Information

The SLS AT is designed and tested with the version of Java that is bundled with the SLS AT software. The

correct version of Java is automatically installed with the SLS AT. The bundled Java runtime used by the

SLS AT is not registered on the hosting system as a public resource and is not visible or accessible to other

applications running on the same system.

Other versions of Java can be installed on the same system hosting the SLS AT for other purposes, but they

will not be used by the SLS AT.

The SLS AT includes the latest security patches for the version of Java bundled in at the time of release.

Java vulnerabilities that may be found in the future are typically relevant only when Java is registered on the

system and used by other applications (such as browsers that run Java applets). The version of Java

embedded in the SLS AT is only accessed by the AT and not registered on the system as a general-purpose

Java runtime for use by other applications. This significantly mitigates the risk of Java vulnerabilities found

after the SLS AT software is released. Codonics monitors security vulnerabilities to the SLS software and

manages them as described in our Software Security Update Policy in section 3.1 SLS PCS (Point of Care

Stations - Models SLS 550i/600i).

3.2.8 SLS AT Miscellaneous Information

The SLS AT is installed and run on computer equipment provided by the medical institution (refer to section

3.2.3 SLS AT Hardware Requirements).

Web browsers accessing the SLS AT do not require any add-ons such as Flash, Shockwave, Active-X, or

Java.

The SLS AT uses an embedded SQL database for storage of drug information, configuration information

and log files. The database is not accessible to other applications.

Security patches and anti-virus or malware protection for the Windows system hosting the SLS AT are the

responsibility of the site administrators and can be installed as necessary. The SLS AT is compatible with

most anti-virus and malware applications.

Do Not Change Installed Java Version

No attempts should be made to change the Java version that is automatically installed with the SLS

AT and SLS EN. The Safe Label System is an FDA cleared medical device that is verified and

validated as a complete system with specific versions of software components such as Java. Codonics

includes updates to Java as required when new SLS software versions are released.

Codonics Safe Label System: IT Resource Guide

Updates to the SLS AT application and supporting software components are tested, approved, and released

by Codonics. No other changes to the installed SLS AT software should be made.

Codonics Safe Label System: IT Resource Guide

3.3 SLS EN (Email Notifier)

The SLS EN is a Windows-based Java application that is site configurable to periodically send users email

status messages related to SLS PCS devices using the customer’s email server. The SLS EN has no UI and

runs in the background as a service. All administrative interactions with the SLS EN are done with a CLI

using a CMD prompt on the hosting Windows system. The application can be started manually with a CLI

command from CMD prompt or set up to automatically start using a Windows start up script.

The email messages produced by SLS EN contain information about the status of SLS PCS devices such as

“Out of media”, or information about user events such as “Drug not found” when a vial is scanned by a user

that is not in the drug formulary. Messages can be sent to individual users or groups of users. The SLS EN

can only report information retrieved from SLS PCS devices that are network accessible by the system

hosting the EN application.

The SLS EN is typically run as a system process on a Windows system owned by the customer. Security

patches to the Windows operating system hosting the SLS EN are the responsibility of the site

administrators. Updates to the SLS EN application are tested, approved, and released by Codonics.

Codonics has a policy to monitor security-related vulnerabilities in the SLS EN and release updates as

required.

3.3.1 SLS EN Hardware Requirements

The SLS EN hardware requirements are the same as the SLS AT. The SLS EN can be installed on the

same system running the SLS AT. Refer to section 3.2.3 SLS AT Hardware Requirements for details.

3.3.2 SLS EN Virtualization

The SLS EN allows virtualization, but Codonics does not explicitly support any particular virtual environment.

The virtualization information for the SLS AT also applies to the SLS EN. Refer to section 3.2.5 SLS AT

Virtualization for details.

3.3.3 SLS EN Software

For security reasons, some details about the internal software components used in the SLS EN are only

made available under NDA (Non-Disclosure Agreement). Refer to Appendix D – Confidential Addendum

Request Procedure for more information.

3.3.4 SLS EN Java Information

The SLS EN is designed and tested with a version of Java that is bundled with the SLS EN software. Java is

automatically installed with the SLS EN application. The Java information for the SLS AT is the same as the

Java information for the SLS EN. Refer to section 3.2.7 SLS AT Java Information for more information about

how Java is managed.

SLS EN Additional Hardware and Software Requirements

The SLS EN (Email Notifier) application only requires the customer to supply a Microsoft® Windows-

based computer that meets the software and hardware requirements described in this section. The

SLS EN runs in the background as a service and has no UI. All administrative interactions with the

SLS EN are performed through CLI commands using a CMD prompt on the hosting system. All other

software modules required by the SLS EN are included and automatically installed when the SLS EN

is installed. No additional 3rd party software packages such as databases or Java need to be supplied

by the customer.

Codonics Safe Label System: IT Resource Guide

4. System Accessories

The following accessories are optional components of the Codonics Safe Label System.

4.1 SLS WAVE Scanner

The SLS WAVE® (Codonics Part Number: SLS-WAVE) is an optional “hands-free” barcode scanner that

connects via USB-2 to the local AIMS/EHR system in the operating room to record the U.S. National Drug

Code* (NDC) number of the drug being administered to the patient. Several common AIMS systems

including Epic, support the SLS WAVE scanner. The SLS WAVE is optimized for reading barcodes on

syringe labels produced by the SLS PCS and transmitting that data to the AIMS/EHR system. The scanner

connects to the AIMS computer using a USB cable (included) and special drug cart mounting hardware

(included) to allow “hands-free” scanning of syringes by the anesthesia provider. The syringe label produced

by the SLS PCS is configured to include a barcode with the NDC number of the drug used to fill the syringe.

An anesthesia provider “waves” the syringe label barcode in front of the SLS WAVE scanner to send the

NDC number to the AIMs. The SLS WAVE does not require the installation of any special software, external

power supplies or network connections.

(*) In other countries, the container ID and not the NDC is passed to the AIMS/EHR when the syringe is

scanned at administration.

4.2 SLS PCS Accessories

4.2.1 SLS PCS Hand Scanner

An optional external barcode hand scanner (Codonics Part Number: SLS500-HSCN) connects to the SLS

PCS with a 6-foot USB cord and allows scanning of drug containers without bringing the containers to the

built-in scanner of the SLS. The hand scanner is enabled by a Codonics-issued Feature Key installed on the

SLS PCS and by clearing (un-checking) the Disable Wired Hand Scanner setting in the SLS AT

Configuration Safety menu.

Codonics ships the hand scanner pre-programmed to operate with the SLS PCS. If scanner settings are

changed, they can be reprogrammed using the procedure described in the Codonics Tech Brief (Codonics

Part Number 901-260-003). When the hand scanner is connected to the SLS PCS, both the built-in scanner

and hand scanner can be used to read barcodes.

4.2.2 SLS PCS Wi-Fi Adapter

An optional Wi-Fi adapter is available from Codonics that plugs into a USB port on the bottom of the SLS

PCS (Codonics Part Number: SLS500-WI-FI.) The Wi-Fi adapter is enabled by a Codonics-issued Feature

Key installed on the SLS PCS. When the Wi-Fi adapter is enabled, both the built-in Ethernet port and Wi-Fi

can be configured and used concurrently. However, the most common configuration is for only one network

interface to be active at a time. See section 8 System Networking for more details.

4.3 SLS AT Accessories

4.3.1 SLS AT Hand Scanner

A barcode hand scanner is required for learning and verifying drug containers with the SLS AT. Codonics

supplies a barcode scanner in the SLS AT Accessory Kit (Codonics Part Number: AT-ACC-KIT-2). The hand

scanner settings must be programmed by the site to ensure proper operation with the SLS AT. The

programming procedure is described in the Codonics Tech Brief provided with the scanner (Codonics Part

Number 901-249-006).

Other third-party USB barcode scanners configured as an HID device, with AIMS code support and

appropriate barcode symbologies enabled can be used. Hand scanners from Zebra (formerly Motorola),

Honeywell, Code and Datalogic have been used successfully with the SLS AT. Codonics does not

guarantee the operation of any third-party hand scanner other than the Codonics supplied scanner

(Codonics Part Number: AT-ACC-KIT-2).

Codonics Safe Label System: IT Resource Guide

4.4 SLS EN Accessories

The SLS EN has no accessories.

Codonics Safe Label System: IT Resource Guide

5. System Workflow

Each component of the Safe Label System has a unique workflow. This section describes the workflow of

individual components after they are set up and operational.

5.1 SLS PCS

A user, such as an anesthesia provider, logs in using the SLS PCS touchscreen display or a barcode on a

user badge printed by the SLS PCS. Once logged in, the user can scan barcodes on drug containers (vials,

ampoules, etc.) using the built-in barcode reader or optional tethered USB hand scanner. The user enters

any additional information, such as diluents and dilution concentrations, required to prepare the drug using

the touchscreen display. The SLS PCS uses the embedded inkjet printer to print a color label designed for

application to a syringe or other secondary drug container.

The SLS PCS stores information about the drug being prepared including user information and preparation

date and time in internal logs files. All user interactions with the SLS PCS including logins, logouts, drugs

prepared, cancelled preparations and other user inputs are also logged by the SLS PCS. The SLS AT can

retrieve log files from the SLS PCS devices over the network or the user can make a copy of the log files

onto a customer-supplied, unencrypted FAT32 formatted USB drive connected to the SLS PCS. Data

analytic tools are available from Codonics to extract user and drug related information for presentation in a

user-friendly form.

5.2 SLS AT

The user, typically a pharmacist, connects to the SLS AT application with a web browser and logs in. Drug

information is imported into a Master Drug Database (MDD) from trusted sources such as an internal

pharmacy drug list in CSV format or a third-party drug database such as Lexicomp. The user can also enter

drug information manually.

Once the MDD is populated, the user selects a set of drugs, known as the “formulary”, that will be accepted

by the SLS PCS. Other drug information such as dilutions, diluents, label color, label pattern, expiration time

and warning messages are added by the user to complete the formulary. The user then approves the final

formulary and builds a file package to be deployed to SLS PCS devices over the network or via USB flash

drive.

The user can also control certain operational aspects of SLS PCS devices by modifying configuration

settings with the SLS AT and deploying a configuration package to the devices similar to the way formulary

packages are distributed. All SLS AT data is stored in a configurable directory location (see

section 3.2.2 SLS AT Data Information for more details). The site is responsible for backing up the SLS AT

data directory (see section 10 System Backup).

5.3 SLS EN

The SLS EN can be configured to start automatically as a system process on the computer system hosting

the EN application or the user can run the application at a command prompt. Once the EN is set up and

configured, no further user interaction is required.

Codonics Safe Label System: IT Resource Guide

6. System PII and User Accounts

6.1 SLS PCS

SLS PCS user accounts are initially created using the touchscreen display and stored locally on the device.

User accounts can be optionally created on the SLS AT using a licensed feature called SLS Centralized

User Management and installed on SLS PCS devices over the network or via a USB drive as part of the

configuration package settings. There are no default user accounts built into current SLS software.

User accounts contain limited Personally Identifiable Information (PII) that includes the username (up to 38

characters), user initials (up to 3 characters), an alpha-numeric user ID (up to 16 characters) and an optional

PIN security code (up to 10-digits). The PIN security code is encrypted using PBKDF2 hashing.

The SLS PCS can print a user badge label with a barcode to simplify future logins by scanning the barcode

on the SLS PCS device. An account created on one SLS PCS is automatically created on other SLS PCS

devices when the barcode on the user badge is scanned for login. Users that do not login with the user

badge will need to create an account on each SLS PCS device using the touchscreen display or with the

SLS Centralized User Management feature. All SLS PCS user accounts have the same permission level.

There is no method for normal users of the SLS PCS to remove user accounts once created. Codonics

Technical Support can provide information to customers for removing user accounts. User accounts created

with the SLS Centralized User Management feature can also be removed with that feature.

The SLS PCS does not use LDAP or Active Directory for managing user accounts on the devices. All user

account activity related to creation, login and logout is logged and stored locally on the SLS PCS devices.

The SLS PCS supports an auto-logout function with a configurable timeout that can be enabled using the

configuration settings of the SLS AT. There is no policy to enforce changing of SLS PCS PIN codes at

regular intervals, but accounts created with the SLS Centralized User Management feature can be

configured and require the user to enter a PIN code the first time the account is used.

6.2 SLS AT

The SLS AT supports three types of user authentication for login: (1) Windows Active Directory, (2) Secure

LDAP (aka LDAPS), and (3) a single built-in login account with a site configurable password. When the SLS

AT is initially installed, the built-in login account is active. Once logged into the built-in account, the login AT

can be configured to use an alternate login authentication method such as Active Directory or LDAPS.

The SLS AT built-in login account can be configured after the initial login to require a strong password. The

built-in login username cannot be changed. The built-in account password is encrypted for local storage in

the SLS AT database using PBKDF2 hashing. An auto-logout function is configurable on the SLS AT with a

default setting of 30 minutes. There is no policy or setting available to enforce changing the built-in SLS AT

password at regular intervals.

Active Directory and LDAPS support on the SLS AT restrict user logins to only those users who are a

member of a specified Security Group on the hospital domain. The Security Group is a configurable setting

on the SLS AT.

Notes:

The SLS AT logs the username of successful and unsuccessful user login attempts.

When the SLS AT is used to manage SLS PCS devices on a network, the SLS AT can receive and store

limited amounts of PII information received from the SLS PCS devices including the SLS PCS user IDs and

user initials.

6.3 SLS EN

The SLS EN does not require configuration of user accounts or passwords. Access to the SLS EN

application and associated files depends solely on the login security of the Windows operating system

hosting the SLS EN application.

Codonics Safe Label System: IT Resource Guide

The SMTP functions of the EN may require login and password information depending on the configuration

of the email server at the customer site. This information is contained in text configuration files set up on the

hosting system by the site. The EN uses a special SSH read-only password to retrieve status information

from SLS PCS devices. The SSH password is also set in a text configuration file on the hosting system.

Notes:

• The EN stores some PII in the form of email addresses required to deliver notification messages

through the customer site email server.

• The EN processes some PII information received from SLS PCS devices on the network including the

SLS PCS user IDs and user initials.

6.4 SSH

All network communications between the SLS AT or SLS EN applications and the SLS PCS devices are

handled by SSH and SCP protocols using 128-bit SSL encryption based on the SSH-2 protocol (RFC 4251)

with AES-128-ctr ciphers for communications and diffie-hellman-group1-sha1 for key exchange. Two

passwords for SSH/SCP are assigned to the SLS AT and SLS PCS devices that can be changed by the site.

The first password, called the “Read-only password”, is for retrieving SLS PCS device status information.

The other password, called the “Read-write password”, is for updates transferred from the SLS AT to the

SLS PCS over the network. SSH passwords for the SLS AT and SLS PCS are encrypted using SHA-512

hashing and stored locally on the respective applications or devices. The SLS EN only uses the Read-only

password to retrieve status information from the SLS PCS. The SLS EN does not require the Read-write

password. The Read-only password is set by the site administrator in a text configuration file on the

Windows system hosting the SLS EN application.

Codonics Safe Label System: IT Resource Guide

7. System PHI

No SLS components require or use Protected Healthcare Information (PHI).

7.1 SLS PCS

The SLS PCS devices do not receive, store, process or transmit PHI.

7.2 SLS AT

The SLS AT does not receive, store, process or transmit PHI.

7.3 SLS EN

The SLS EN does not receive, store, process or transmit PHI.

Codonics Safe Label System User guide

Related papers

Other documents